Mastering the Essential8 Framework for Cybersecurity Resilience

Mark Boyd
Chief Customer Officer

Download our Essential8 Audit Template

As a starting point, we’re giving you a valuable tool: a downloadable template for self-auditing your Essential8 compliance. This template, used in our professional audits, offers insights for everyone—from techs seeking granular control details to executives looking for high-level alignment with cybersecurity maturity.

How to Stay Essential8 Aligned

Aligning with Essential8 is not a one-time achievement; it requires a dedicated, ongoing effort to maintain compliance. Without a structured, calendar-based approach, achieving sustained alignment is impossible. In other words, compliance is not a checkbox—it’s a daily, weekly, monthly, and annual commitment to rigorous security practices.

To truly stay aligned and secure, you must embed these practices into your organisation’s regular operations. Here are some time-bound activities essential for maintaining Essential8 alignment. Note that this is only a subset of all necessary controls, but these practices highlight the level of dedication required:

Time-Bound Activities for Essential8 Compliance

Protecting your business from cyber threats involves more than just buying the right software. It requires a holistic approach that includes both technological and human elements. Here’s how you can fortify your defences:

Application Control:

  • Validate application control rulesets annually or more frequently.
  • Log all allowed and blocked application events centrally.
  • Analyse event logs from internet-facing servers in a timely manner to detect cyber events.
  • Review and report cybersecurity incidents to the CISO or ASD as required.

Patch Applications:

  • Conduct automated asset discovery at least fortnightly for consistent vulnerability scanning.
  • Use a vulnerability scanner daily for online services and weekly for productivity suites, web browsers, email clients, and PDF software.
  • Apply patches within 48 hours for critical vulnerabilities and within two weeks for non-critical ones in online services.
  • Regularly remove unsupported applications to maintain a secure environment.

Configure Office Macro Settings:

  • Annually review trusted publisher lists.
  • Implement macro security settings and lock them down so that users cannot modify them.

User Application Hardening:

  • Analyse event logs from internet-facing servers promptly to detect cybersecurity incidents.
  • Follow ASD guidelines for hardening settings, focusing on web browsers and Office applications.
  • Implement strict logging and security configurations, such as disabling unnecessary legacy applications.

Restrict Administrative Privileges:

  • Disable privileged access that has not been revalidated within the last 12 months, and privileged access that has been inactive for 45 days.
  • Log privileged access events centrally, securing logs from unauthorised modification.
  • Analyse cybersecurity incidents promptly and report to relevant authorities like the CISO or ASD.
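The two time-bound rules above (12 months without revalidation, 45 days of inactivity) are the kind of check that is easy to miss if it is not automated. The following is an added example, not the page's own or any vendor's tooling: it reads a constructed list of privileged accounts and reports which ones must be disabled and why. The record format, the field names and the review date are assumptions for illustration; in practice the records would come from your directory or PAM export.

```python
"""Flag privileged accounts that should be disabled under the two
time-bound rules: no revalidation in the last 12 months, or no
activity in the last 45 days.  Added example code; the record layout
and the as-of date are assumptions, not a real export."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REVALIDATION_WINDOW = timedelta(days=365)   # "12 months unless revalidated"
INACTIVITY_WINDOW = timedelta(days=45)      # "45 days of inactivity"


@dataclass
class PrivilegedAccount:
    name: str
    last_revalidated: date            # date the access was last approved
    last_activity: Optional[date]     # last sign-in or use; None if never used


def review_privileged_access(accounts: List[PrivilegedAccount],
                             as_of: date) -> Dict[str, List[str]]:
    """Return {account_name: [reasons]} for accounts that must be disabled."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        reasons = []
        if as_of - acct.last_revalidated > REVALIDATION_WINDOW:
            reasons.append("revalidation overdue (>12 months)")
        # Assumption of this example: an account that has never been used
        # counts as inactive since the day its access was last revalidated.
        last_seen = acct.last_activity or acct.last_revalidated
        if as_of - last_seen > INACTIVITY_WINDOW:
            reasons.append("inactive (>45 days)")
        if reasons:
            findings[acct.name] = reasons
    return findings


# Constructed sample data (not real accounts) and a fixed review date.
AS_OF = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("adm-alice", date(2024, 3, 1), date(2024, 5, 28)),   # healthy
    PrivilegedAccount("adm-bob",   date(2023, 4, 15), date(2024, 5, 30)),  # revalidation overdue
    PrivilegedAccount("adm-carol", date(2024, 1, 10), date(2024, 3, 1)),   # inactive
    PrivilegedAccount("svc-old",   date(2023, 1, 1), None),                # both
]


def sample_review() -> Dict[str, List[str]]:
    """Run the review over the constructed sample as of AS_OF."""
    return review_privileged_access(SAMPLE_ACCOUNTS, AS_OF)


if __name__ == "__main__":
    for name, reasons in sample_review().items():
        print(f"{name}: disable - {'; '.join(reasons)}")
```

Run this on a schedule (the page's calendar-based approach) and feed the output to the same central log that records privileged access events, so the disable action itself is evidenced for the audit.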

Patch Operating Systems:

  • Automate asset discovery at least fortnightly for vulnerability identification.
  • Use a vulnerability scanner daily for internet-facing systems and fortnightly for internal systems.
  • Apply critical OS patches within 48 hours and non-critical patches within two weeks.
  • Plan for deprecating unsupported operating systems within a structured timeframe.
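Both the Patch Applications and Patch Operating Systems activities use the same deadlines: 48 hours for critical vulnerabilities and two weeks for non-critical ones. The block below is an added example (not the page's own or any scanner vendor's code) that evaluates scanner findings against those deadlines and reports, for each finding, whether it was patched within the SLA, is still open and already overdue, or was patched late. The record layout, the advisory identifiers and the timestamps are constructed for illustration.

```python
"""Check patch timeliness against the Essential8 deadlines quoted on the
page: 48 hours for critical vulnerabilities, two weeks for non-critical.
Added example code; the record format and sample values are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Deadlines apply equally to application and operating-system patching.
DEADLINES = {
    "critical": timedelta(hours=48),
    "non-critical": timedelta(days=14),
}


@dataclass
class PatchRecord:
    asset: str
    advisory: str                        # vendor advisory id (constructed below)
    severity: str                        # "critical" or "non-critical"
    detected: datetime                   # when the scanner first reported it
    patched: Optional[datetime] = None   # None while the finding is still open


def patch_status(rec: PatchRecord, now: datetime) -> str:
    """Classify one finding as 'within-sla', 'overdue-open' or 'breached'."""
    if rec.severity not in DEADLINES:
        raise ValueError(f"unknown severity {rec.severity!r} for {rec.asset}")
    deadline = rec.detected + DEADLINES[rec.severity]
    if rec.patched is None:
        # Still open: fine until the deadline passes, then it is overdue.
        return "within-sla" if now <= deadline else "overdue-open"
    # Closed: judged on whether the patch landed before the deadline.
    return "within-sla" if rec.patched <= deadline else "breached"


def sla_report(records: List[PatchRecord], now: datetime) -> Dict[str, str]:
    """Map 'asset:advisory' to its SLA status for every record."""
    return {f"{r.asset}:{r.advisory}": patch_status(r, now) for r in records}


# Constructed scanner output; the advisory ids are placeholders, not real ones.
NOW = datetime(2024, 6, 10, 9, 0)
SAMPLE_RECORDS = [
    PatchRecord("web01", "EXAMPLE-0001", "critical",
                datetime(2024, 6, 8, 10, 0), datetime(2024, 6, 9, 8, 0)),   # 22h: ok
    PatchRecord("web02", "EXAMPLE-0002", "critical",
                datetime(2024, 6, 7, 8, 0)),                                # open, >48h
    PatchRecord("ws-17", "EXAMPLE-0003", "non-critical",
                datetime(2024, 5, 20, 12, 0), datetime(2024, 6, 5, 9, 0)),  # 16 days: late
    PatchRecord("ws-18", "EXAMPLE-0004", "non-critical",
                datetime(2024, 6, 1, 0, 0)),                                # open, in time
]


def sample_report() -> Dict[str, str]:
    """Evaluate the constructed records as of NOW."""
    return sla_report(SAMPLE_RECORDS, NOW)


if __name__ == "__main__":
    for key, status in sample_report().items():
        print(f"{key}: {status}")
```

The distinction between "overdue-open" and "breached" matters for the audit: the first is a finding you can still act on today, the second is evidence of a missed SLA that needs a root cause before the next review.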

Multi-Factor Authentication (MFA):

  • Centrally log successful and unsuccessful MFA events, protecting logs from unauthorised access.
  • Regularly analyse event logs for internet-facing systems to detect cybersecurity incidents.
  • Report incidents to the CISO and ASD as soon as possible after detection.

Regular Backups:

  • Test backup restoration as part of disaster recovery exercises, typically conducted annually.
  • Ensure backups are secure and resilient, restricting unauthorised access and modification.
  • Prevent backup modifications by privileged users during the retention period.

Using our free audit document

For those implementing Essential8 in their organisation, the McKinsey Pyramid Principle can simplify the framework’s structure and aid stakeholder communication. This principle advocates a top-down approach to thinking and communicating, which is well-suited to the Essential8 framework.

Visualise the Essential8 framework as a pyramid:

• At the top

You have your overarching maturity level for each control area. For instance, what is your organisation’s maturity level for application control? Are you at Maturity Level 1, where basic restrictions are in place, or Maturity Level 3, where robust controls and extensive logging are fully integrated?

• In the middle

You have individual control requirements, such as patching applications or limiting administrative privileges. These are the building blocks of each control, and they provide a more detailed understanding of your compliance standing.

• At the base

You find the detailed actions required to meet each control, like configuring software settings, applying patches, or analysing cybersecurity logs. This is where the technical implementation happens, and where your organisation can understand exactly what is needed to achieve each maturity level.

By working from the top down, you get a clear view of your overall alignment and then drill down into the specifics. This method allows you to approach Essential8’s requirements systematically, helping you assess and improve your security posture over time.

For the visual learners among us, the pyramid is shown below.

[Figure: Essential8 framework pyramid]

Executive Summary
What’s your overall attainment? This is what company executives want to see.

What’s your attainment per control?
What is the headline of attainment against each control for the eight controls?

What is the detail of each control?
Here you get technical; each control has its own unique requirements guiding you on what you need to do to be compliant.

Appendix & Support Evidence
Then, provide evidence, screenshots, and detailed summaries of the findings.


Essential8 Compliance Tools

While some vendors claim their tool alone can ensure compliance, Essential8 requires a variety of tools. As an MSP, we leverage a suite of applications to meet Maturity Level 3 standards for our clients, including:

• Application Control

Intune, Airlock (ThreatLocker)

• Patch Applications

N-Able, Microsoft WSUS, Intune

• Office Macro Settings

Microsoft 365 Advanced Threat Protection (Microsoft Defender)

• User Application Hardening

Airlock, ThreatLocker, and other hardening tools

• Administrative Privileges

Delinea Secret Server

• Patch Operating Systems

N-Able, Microsoft WSUS, Intune

• MFA

Duo Security, Microsoft MFA (Microsoft Authenticator)

• Backups

Veeam, AvePoint

For more information, download our template to start your self-audit today. Remember, compliance is a journey—let’s make that journey together, with Essential8 as our roadmap.


Author

Mark Boyd

Chief Customer Officer (CCO)

Mark Boyd is Chief Customer Officer (CCO) at alltasksIT, a key executive role responsible for overseeing the entire customer experience. The CCO serves as the voice of the customer at the highest levels of the company, ensuring that customer-centric strategies are developed and implemented across all departments.